Overview
This document provides general guidelines and best practices for the use of Deep Freeze in public access settings such as libraries, schools, or other locations where the general public has access to managed devices.
Note that these are general guidelines and may not reflect your specific operational concerns.
Implementation Considerations
Customization Code
During the install of Deep Freeze Enterprise you will be required to supply a customization code. This code must be between 8 and 32 characters long and is used to customize the install of Deep Freeze on your client devices. If you are using Deep Freeze Cloud, your customization code is generated in your cloud instance and maintained securely on our servers.
It is imperative that you record and store this customization code securely. Treat it as you would any other secret: keep it in a password manager or secrets vault rather than in deployment scripts or shared documents.
Customization codes cannot be recovered from an existing installation of Deep Freeze. They may be required for future upgrades, and they are required if you lose your Deep Freeze Enterprise Console and need to reinstall it on a new server.
Physical Security
While Deep Freeze can dramatically reduce the number of issues that occur on a client device, you should ensure that you have taken appropriate steps to physically secure the device. This includes;
Password protecting the BIOS/UEFI firmware setup so the boot order cannot be changed.
Configuring the machine to boot only from the local hard disk or SSD, with USB, optical and network (PXE) boot disabled.
Taking appropriate steps to physically secure the hardware from tampering.
At the end of the day, Deep Freeze is a software solution. Regardless of the controls in the product, someone who can physically tamper with the hardware it is deployed on (for example, by booting from removable media and modifying the disk outside of Deep Freeze's control) will eventually be able to take actions that damage the system and render it non-operational.
Network Topology
Deep Freeze has a few fixed requirements for remote management, whether through the Deep Freeze Cloud or the Deep Freeze Enterprise Console.
For the Deep Freeze Cloud, devices must have internet access to reach our services, and must report to the Deep Freeze Cloud at least once every 30 days to continue operating without interruption.
Deep Freeze Enterprise requires that client devices be able to reach the Deep Freeze Enterprise Console on a specific port (default 7725). In LAN mode the clients attempt to discover the console using broadcasts. On a single subnet this generally works without issue, but broadcasts do not cross routers, so on a more complex network you may need to configure Deep Freeze in LAN/WAN mode and give the clients an IP address or hostname for the console.
If using an IP address, we recommend assigning it statically to the machine running the Enterprise Console. If using a hostname, be aware that the client devices must be able to resolve that hostname to the console's IP address; a client that cannot resolve the name looks, from the console, exactly like one behind a blocked port. Either way, you may need to open the port on firewalls (and on any ACLs on routers or switches) in the path so the traffic can flow between client and server.
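A client-side connectivity check for LAN/WAN mode, added here as an example; it is not Faronics' code. It separates the two failure modes described above (the hostname does not resolve, or the port is filtered or refused) rather than reporting a single "cannot reach console". The port 7725 default comes from the text; the console name used in the usage line and the timeout value are assumptions.

```powershell
# Added example (not Faronics' code): verify from a client that the Deep Freeze
# Enterprise Console is reachable on its management port in LAN/WAN mode.
function Test-DeepFreezeConsole {
    [CmdletBinding()]
    param(
        # Hostname or IP address configured for the console on the clients.
        [Parameter(Mandatory)] [string] $Console,
        # Deep Freeze Enterprise default port (from the text); change if the console uses another.
        [int] $Port = 7725,
        # Assumed timeout; long enough for a WAN link, short enough not to hang a login script.
        [int] $TimeoutMs = 3000
    )

    $result = [ordered]@{ Console = $Console; Port = $Port; Resolved = $null; TcpOpen = $false; Detail = '' }

    # Step 1: name resolution. Only needed when a hostname (not a literal IP) is configured.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Console, [ref]$ip)) {
        $result.Resolved = $ip.IPAddressToString
    } else {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($Console) |
                     Where-Object { $_.AddressFamily -eq 'InterNetwork' }
            if (-not $addrs) { throw 'no IPv4 address returned' }
            $result.Resolved = $addrs[0].IPAddressToString
        } catch {
            $result.Detail = "DNS resolution failed: $($_.Exception.Message)"
            return [pscustomobject]$result
        }
    }

    # Step 2: TCP connect with a timeout, so a firewall that silently drops
    # packets (no RST) is reported as "timed out" instead of hanging the check.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($result.Resolved, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = "connect timed out after ${TimeoutMs}ms (port filtered?)"
        } else {
            $client.EndConnect($async)
            $result.TcpOpen = $client.Connected
            $result.Detail = 'TCP connection established'
        }
    } catch {
        # A closed port or a host that is up but not running the console lands here.
        $result.Detail = "connect refused or failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage, on a client that does not appear in the console (console name assumed):
# Test-DeepFreezeConsole -Console 'dfconsole.example.org'
```

Run it on the client, not on the console: a check from the console side cannot tell you whether the client resolves the name correctly, and a result of TcpOpen = $false with "timed out" points at a firewall in the path, while "refused" points at the wrong address or a console that is not listening.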
Product Activation
Product activation for Deep Freeze Enterprise and Standard requires the system to communicate once with our activation server. Once activated, the machine will not require re-activation unless it experiences a significant hardware change or is re-imaged. If Deep Freeze is deployed as part of a master image, each device will require re-activation once the image is placed on it.
Deployment Considerations
Deployment Methods
The Deep Freeze installers support multiple deployment methods. Any management tool that can;
Transfer a file to a client device.
Execute the file with a command line option.
should be able to remotely deploy Deep Freeze to a client device. For Deep Freeze Enterprise the install command would look like;
dfwks.exe /install
Note that this command reboots the client device when the install completes. If that causes issues, the reboot can be suppressed with the /NOREBOOT command line switch; however, we only recommend this if you instruct your management tool to reboot the device immediately after the install finishes, so the machine never sits in a half-installed state.
The Deep Freeze Cloud supports similar commands, but the syntax is slightly different owing to the nature of the product. Please consult the Deep Freeze Cloud documentation for further information.
Windows Updates
Please ensure that the client device has been fully updated before installing Deep Freeze; if updates are queued or pending on the device, the install process will fail.
Fast Startup
Fast Startup in Windows can make client devices appear to retain data across a reboot, because a Fast Startup "shutdown" hibernates the kernel session instead of fully restarting it. We recommend disabling this feature on devices running Deep Freeze, and doing so before the machine is frozen (or during a thawed period) so that the change persists. Further information on this is linked below;
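The deployment steps above (copy the installer, run it with a command line option, reboot), the pending-updates precondition, and the Fast Startup recommendation can be combined into one wrapper that a management tool runs on the client with administrative rights. This is an added example, not Faronics' code: the /install and /NOREBOOT switches and the dfwks.exe name come from the text, while the installer location, the meaning of its exit code, and the HiberbootEnabled registry value used to switch off Fast Startup are this example's own assumptions (the registry value is the standard Windows setting, not something documented by Faronics).

```powershell
# Added example (not Faronics' code). Run on the client as an administrator.
# Order matters: the Fast Startup change is made BEFORE Deep Freeze freezes the
# disk, so it survives reboots; the install is refused while updates are pending.

function Get-PendingUpdateState {
    # Ask the Windows Update Agent (COM) for updates that are not yet installed;
    # this is the "queued or pending" case that makes the Deep Freeze install fail.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count

    # A reboot left over from an earlier update also counts as pending.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{ PendingUpdates = $pending; RebootPending = $rebootPending }
}

function Disable-FastStartup {
    # HiberbootEnabled = 1 is the Windows default (Fast Startup on); 0 turns it off.
    # This is a standard Windows setting, assumed here rather than taken from Faronics' text.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $current = (Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    if ($current -ne 0) {
        Set-ItemProperty -Path $key -Name HiberbootEnabled -Value 0 -Type DWord
    }
}

function Install-DeepFreezeWorkstation {
    param(
        # Location the management tool copied dfwks.exe to (assumed; adjust to your tool).
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Run the preflight checks only; report the command that would be executed.
        [switch] $DryRun
    )
    if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }

    $state = Get-PendingUpdateState
    if ($state.PendingUpdates -gt 0 -or $state.RebootPending) {
        throw ("Refusing to install: {0} update(s) pending, reboot pending = {1}. Patch and reboot first." -f
               $state.PendingUpdates, $state.RebootPending)
    }

    Disable-FastStartup

    if ($DryRun) { return "would run: $InstallerPath /install /NOREBOOT" }

    # /NOREBOOT suppresses the installer's own reboot; we reboot ourselves right
    # after it returns, which is the only case in which the text recommends using it.
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList '/install', '/NOREBOOT' -Wait -PassThru
    if ($proc.ExitCode -ne 0) {   # assumption: a non-zero exit code means the install failed
        throw "Deep Freeze installer exited with code $($proc.ExitCode)"
    }
    Restart-Computer -Force
}

# Usage from the management tool (path assumed):
# Install-DeepFreezeWorkstation -InstallerPath 'C:\Deploy\dfwks.exe'
```

Use -DryRun first on a pilot machine: it exercises the Windows Update query and the registry change without touching the installer, so a fleet-wide rollout that fails the preflight is caught before any device is left unfrozen or half-installed.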
3rd Party Antivirus Solutions
Third-party antivirus solutions will need to be configured to exempt the Faronics Deep Freeze product(s) from real-time protection, and we further recommend that these products be disabled during upgrades of our software.
Further details on the specific files and folders are documented here;
Data Retention
If you have an application that requires data to be retained on the client device, this can be done with the Data Igloo utility that we produce. Data Igloo can preserve folders, registry keys, and even entire user profiles on a frozen machine by redirecting the data into a thawed partition or ThawSpace: the data appears to be in its original location while it is actually stored on a volume that is exempt from Deep Freeze protection.
Maintenance Concerns
Windows Updates
Deep Freeze, by default, takes steps to control how Windows Updates run on client devices. Those measures cause manual update checks performed on the client to fail, and can also prevent access to the Windows Store while the device is frozen. In general we recommend configuring Deep Freeze to run Windows Updates, and to control that process, as part of a scheduled Windows Update task.
These tasks use logic that understands how a device running Deep Freeze behaves, and take steps to avoid the problems that can occur when an operating system is patched by tools that do not realize a reboot-to-restore application is in place on the device.
The timing of the maintenance window should be determined by the needs of your users; generally we recommend scheduling maintenance outside normal working hours.
Regardless of the options you select, Faronics does not recommend using Deep Freeze to stop updates on client devices entirely. This leaves systems in a potentially vulnerable state and creates headaches later when attempting to catch up on updates that have been deferred.
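A frozen kiosk that reverts every change on reboot looks healthy even when its scheduled update task has silently stopped working, which is exactly the "potentially vulnerable state" described above. The check below is an added example, not Faronics' code or a Deep Freeze feature: it reports how long ago the newest update was installed on each machine so that stale devices surface in a report. The 30-day threshold and the computer names in the usage line are assumptions.

```powershell
# Added example (not Faronics' code): report the age of the newest installed
# update on a client, so that frozen machines falling behind on patches are noticed.
function Get-PatchAge {
    param(
        # Assumed threshold; pick one that matches your maintenance schedule.
        [int] $MaxAgeDays = 30,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Get-HotFix wraps Win32_QuickFixEngineering. Entries without an InstalledOn
    # date are skipped rather than being treated as "installed today".
    $newest = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1

    if (-not $newest) {
        # No dated update at all is treated as stale, not as unknown, so it is not silently ignored.
        return [pscustomobject]@{ Computer = $ComputerName; NewestUpdate = $null; InstalledOn = $null; AgeDays = $null; Stale = $true }
    }

    $age = (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
    [pscustomobject]@{
        Computer     = $ComputerName
        NewestUpdate = $newest.HotFixID
        InstalledOn  = $newest.InstalledOn
        AgeDays      = $age
        Stale        = ($age -gt $MaxAgeDays)
    }
}

# Usage across a set of kiosks (names assumed), listing only the stale ones:
# 'KIOSK-01', 'KIOSK-02' | ForEach-Object { Get-PatchAge -ComputerName $_ } | Where-Object Stale
```

Because Deep Freeze discards changes made while frozen, a machine that installed updates during a thawed maintenance window but was then restored from an older image will also show up as stale here, which is the point: the report reflects what is actually on disk, not what the schedule was supposed to do.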
Antivirus Updates
Third-party antivirus software, like any other product, requires that Deep Freeze be thawed before updates can be installed persistently on the client device. Depending on your antivirus package this can be done either by scheduling the updates during a thawed period configured in the Deep Freeze configuration, or through a command line inserted into a batch file task in the Deep Freeze configuration.
Some customers have in the past tried mapping their antivirus solution to a thawed partition or ThawSpace. Faronics does not recommend this: third-party solutions may not understand the nature of a machine running Deep Freeze and may install files into new paths without warning, and those files are then lost on the next reboot. If you need antivirus software to update on a client device throughout the day without losing those updates on reboot, Faronics maintains a product that supports this functionality at an additional cost.